Abstract - This paper presents a new probabilistic
approach to determine survivability of reconfigurable
systems as a system-level performance metric in an
operational environment. In contrast to known methods
of estimating survivability in terms of susceptibility and
vulnerability, the proposed method (1) includes
directional threats on various subsystems into the
analysis and (2) provides a framework for operational
information fusion processes to better sustain
unpredictable or hostile environmental disturbances. In
this paper, we distinguish the survivability and reliability
metrics, where we demonstrate the importance of
the survivability metric in a dynamic information fusion
process for an operational environment. We present our
main result using a piping system of fluid flow; however,
the concept easily extends to other flow systems, such as
power networks, computer communication networks,
and military reconfigurable information systems.
Survivability of these large scale reconfigurable
networks depends on their capability of assessing
directional threats, situation awareness, and their ability
to dynamically adapt to new configurations. The
proposed survivability method embedded in an
information fusion environment can be used for real
time dynamic reconfiguration of large scale systems,
optimization and routing of data and information, and
detection and mitigation of hardware and software threats.

Keywords: Survivability, reliability, fusion, situation
awareness, situation assessment.

1  Introduction 

In 1990, the US Department of Defense defined
information fusion as ‘a technology which involves the
acquisition, integration, filtering, correlation and
synthesis of useful data from diverse sources for the
purposes of situation/environment assessment, planning,
detecting, verifying, diagnosing problems, aiding tactical
and strategic decisions, and improving systems
performance and utility’. In this definition, we see the
importance of situation awareness (useful data gathering)
and situation assessment (decision making). The
Information Fusion 2005 panel position paper [11]
discussed various issues and challenges presented to our
information fusion communities on how to determine
situation  assessment.  In  particular,  different  information 
fusion  models  were  proposed  to  show  the  importance  of 
processes.  Blasch  et  al.  [10]  argued  the  importance  of 
incorporating  performance  metrics  for  dynamic  situation 
analysis  in  the  information  fusion  process.  Llinas  [16] 
lists  survivability  and  reliability  as  key  measures  of 
effectiveness  (MOE)  for  tracking,  communications,  and 
information  fusion.  To  that  end,  we  explore  techniques  to 
further  delineate  the  mathematical  nature  of  these  terms  in 
a  probabilistic  manner.  Additionally,  Byington  and  Garga 
[17]  proposed  a  failure  mode  effects  criticality  analysis 
(FMECA)  for  condition-based  maintenance  which  was 
determined  through  multisensor  fusion  for  predictive, 
preventative,  and  corrective  maintenance.  In  this  paper, 
we  contend  that  the  goal  of  situation  awareness  (whether 
it  be  a  user,  machine,  or  system)  is  situation  assessment  of 
one  performance  metric  -  survivability. 

Clearly, humans are not the only species on this earth
that has information fusion processing capability to
maintain survivability. Charles Darwin [15] pondered the
issue of survivability between species’ adaptation and
environment changes in his famous evolution theory. He
referred to natural selection or survival of the fittest as a
direct result of variations. In other words, the theory
has  suggested  that  the  survivability  of  a  system  is  directly 
related  to  the  reconfigurability  of  the  system  due  to 
situation  assessment  of  the  environment.  Although  many 
engineering  damage  control  (survivable)  applications  or 
infrastructures  are  not  biological  in  nature,  they  are  still 
designed  to  survive  harsh  operation  environments  through 
system  modifications.  More  likely,  they  are  reconfigured 
when  they  cannot  operate  in  their  original  forms  as  the 
environment  changes.  In  these  types  of  engineering 
analyses,  Yoo  and  Smith  [1]  studied  how  soon  a  reliable 
system  requires  reconfiguration  by  using  a  term  called 
mean  time  between  critical  failures  (MTBCF).  They  did 
not  address  survivability  in  the  paper,  but  they  suggested 
the  importance  of  reconfiguration  to  prevent  system 
failure. 

Net-centric  operations  require  responsiveness  to 
threats,  vulnerabilities,  and  critical  failures  as  well  as 
methods  to  diagnose  situational  risks  [14].  Monitoring, 
measuring  and  mitigating  risk/threat  are  essential 
functions for fusion-system operations. Risk is the
likelihood of a given threat attacking a particular
vulnerability and the resulting impact [12,13]. The goal of
risk assessment as part of level 2/3 tacit fusion
management is to enable individuals and systems to isolate
separate risks and to identify potential mitigation options.
The process of identifying risks can be an objective process
(such as part failures) and a subjective process (such as
adversarial actions). Selection of security controls based
on cost, threat, and the degree of risk reduction is key to
fusion system survivability.

Frank  [2]  showed  an  asymptotic  expression  of 
vulnerability  analysis  for  a  communication  network.  He 
extended  the  results  in  the  survivability  analysis  [3],  [4] 
for  the  command  and  control  communication  network.  He 
explained the difficulty of evaluating survivability due to
computational complexity. At the same time, he expressed
the  idea  of  computing  survivability  by  using  a  term  called 
killability.  Later  with  a  similar  idea,  Papanikolaou  and 
Boulougouris  [5]  addressed  design  aspects  of  survivability 
for  surface  naval  and  merchant  ships.  They  offered  a 
mathematical  formula  showing  how  to  compute 
survivability. According to their definition, the
survivability $P_s$ is calculated as

$$P_s = 1 - P_k = 1 - P_{su} P_v,$$

where $P_k$ is the kill-ability, $P_{su}$ is the susceptibility and $P_v$
is the vulnerability. This formulation is very intuitive and
a top-down approach. Since large integrated systems often
consist of many subsystems, such as power modules,
communication modules, or computation modules, they
are not only susceptible to failure in the direction of
threats, but are also affected by cascade failures from
other interconnected subsystems. To calculate a system’s
survivability, the system can first be divided into these
smaller subsystems in terms of probability of
susceptibility. The vulnerability of the system is directly
dependent on the reliability of subsystems. As a result, the
survivability formulation for a reconfigurable system
becomes complex and difficult to evaluate. Knight
and  Sullivan  [6]  presented  a  formal  definition  of  the 
survivability  of  an  information  system,  but  the  definition 
is more related to a fault tolerant system since they did not
consider the system reconfigurability in their survivability
analysis. Varshney et al. [7] explained the difference
between reliability and survivability in the context of
mean time between failures (MTBF); however, the
definition did not consider the system reconfiguration. To
appropriately  characterize  survivability,  Westmark  [8] 
surveyed  thousands  of  research  papers  regarding 
survivability,  and  concluded  that  there  was  a  need  for 
defining  a  proper  computational  survivability  measure. 

In  this  paper,  we  present  a  probabilistic  approach  to 
compute  the  survivability  of  a  reconfigurable  piping 
system.  We  chose  a  piping  system  because  it  balances  the 
interplay  between  data  (water),  information 
management/routing  (pumps),  and  hardware  (machines). 
Defining a single aspect of information fusion between
data, management, and infrastructure will require further
analysis of a complex system. The piping system
formulation  shows  the  significant  difference  between  the 
reliability  and  survivability  analysis.  We  also 
extend/incorporate  some  of  the  existing  reliability  models 
[9]  into  our  survivability  analysis. 

The  rest  of  the  paper  is  organized  as  follows.  The  main 
survivability  ideas  are  presented  in  section  2.  Simulation 
results  are  given  in  section  3.  We  conclude  the  paper  in 
section  4. 

2  System  Survivability  Analysis 

To  better  understand  the  reliability  and  survivability 
analysis,  we  briefly  describe  several  key  reliability 
models. 

A.  Reliability  Models 

Typically,  a  reliable  system  has  redundant  components  to 
sustain  system  function  if  a  few  components  fail.  For 
example, there are various studies on k-out-of-n:G or
k-out-of-n:F systems, such as Kuo and Zuo [9]:

i) The k-out-of-n:G system works (well) when at least
k components work among all n components.

ii) The k-out-of-n:F system fails when at least k components
cannot function among all n components.

These two systems are equivalent where a k-out-of-n:G
system is the same as a (n-k+1)-out-of-n:F system. The
reliability of a k-out-of-n:G system is the
successful probability of the system. For example, we can
calculate the reliability of a k-out-of-n:G system with n
identical components whose successful probabilities are p
as

$$R = \sum_{i=k}^{n} \binom{n}{i} p^{i} (1-p)^{n-i},$$

where $\binom{n}{i}$ is the combination n choose i. Also, the

reliability  model  considers  the  uniform  threat  from  all 
directions.  In  other  words,  a  specific  threat  direction  does 
not  have  any  influence  on  the  successful  probability  of  the 
components  in  the  reliability  model,  or  the  reliability  stays 
the  same  regardless  of  where  the  threat  is  from. 

B.  Survivability  Models 

A  survivable  system  is  a  reliable  system  with 
reconfiguration  capability.  To  precisely  define 
survivability,  the  initial  form  (or  the  original 
configuration)  is  an  important  factor  which  is  also  directly 
related  to  where  the  threat  direction  is  from.  The  system 
can  perform  its  functions  by  varying  into  a  new  form 
when  it  cannot  survive  in  its  original  form  through 
situation  assessment.  We  define  the  survivability  of  a 
reconfigurable  system  as 


$$S = R(f_0) + \sum_{i \neq 0} Q(f_0 \to f_i)\, A(f_i)\, R(f_i, c_i) \qquad (1)$$

where $R(f_0)$ is the reliability of an initial configuration $f_0$
and $A(f_i)$ is the probability of successful adaptation into a new
configuration $f_i$. Since a system has to be fault tolerant, the
configuration $f_0$ requires several redundant components in
order to provide sufficient reliability. When threats come
from different directions, we can compute the reliability of
each component by using the total probability theorem as

$$p(c) = \sum_{j} p(c \mid T_j)\, p(T_j),$$

where $T_j$ is the direction of a threat, $p(T_j)$ is the a priori
probability of the threat, and $p(c \mid T_j)$ is the conditional
reliability of component c based on a particular threat $T_j$.
The component reliability can further be classified as a
k-out-of-n:G (good) system reliability metric shown as $R(f_0)$
and $R(f_i, c_i)$. This formulation includes the idea of
susceptibility, reliability as well as adaptability for
possible reconfiguration solutions. As shown in the
formulation, there is a term $Q(f_0 \to f_i)$ that implies the
system requires modification from its initial form.

Fig. 1. Two Pumps System

Since  the  modification  can  occur  under  different 
circumstances,  it  can  result  in  the  following  two  types  of 
survivability  analysis:  i)  adaptation  and  ii)  mutation. 

i)  Adaptation  survivability  refers  to  a  system  that 
reconfigures  itself  only  when  its  initial  form  fails  to 
work. 

ii)  Mutation  survivability  refers  to  a  system  that  can 
reconfigure  itself  even  when  its  initial  form  is  still 
performing  its  tasks. 

In  our  engineering  analysis  of  survivability,  we  simply 
investigate  the  adaptation  survivability  of  a  system 
because  many  survivable  engineering  applications  require 
a  new  configuration  to  sustain  operations  only  when  the 
initial  form  fails  to  work.  During  reconfiguration  states, 
engineers  and  technicians  can  be  dispatched  to  repair  the 
failed  components  in  their  initial  form.  It  is  apparent  that 
adaptation  survivability  is  a  more  applicable  analysis  for 
engineering  survivable  systems. 

C.  A  Simple  Survivable  System 

First, we consider a simple survivable system shown in
Figure 1 where the system has two pumps and only one
can be operated due to a limited power supply. (This is
analogous to a distributed sensor fusion system.)

In Figure 1 (as well as in subsequent figures), we use the
symbol x to indicate that a valve is closed, and o for an open
valve. The pump supplies enough water to three sprinkler
pipes in the middle segment of the system at any given
time. We refer to the middle segment as the survivable
space. In Figure 1, $p_i$ and $q_i$ denote the successful
probability and the failure probability of pumps 1 and
2. As we can see, the main threat is from the right-hand
side of the system and we can assume that $p_1 < p_2$ where
$p_i$ is the successful probability of pump i. However, a
reliability model will not consider the two pumps as being
different because the system is unaware of where the
threat is coming from. Rather, an initial form can be
chosen to either operate pump 1 or operate pump 2. After
the initial form is chosen to operate pump 1, the reliability
is

$$R = p_1,$$

or the reliability can become $p_2$ if pump 2 is operated in its
initial form.

The values of $p_1$ and $p_2$ are highly dependent on where the
threat is coming from. If a reliable and reconfigurable
system can identify where the threat is coming from and
reconfigure itself accordingly, the system becomes
survivable. A better way is to operate the pump with the
lower threat. In other words, the appropriate survivable
system is to operate pump 2 and reconfigure itself to
operate pump 1 if pump 2 fails. Here we have a survivable
model with an initial form of operating a 1-out-of-1:G
system for pump 2 with pump 1 as a backup. If pump 2
fails, there are four reconfiguration possibilities to open or
close valve 1 and valve 2.


(a)  Survivable  Solution  1 


Fig.  2.  Pumps  Reconfiguration 

Among  them,  two  possibilities  enable  pump  1  to  supply 
water  flow  to  the  sprinkler  pipes  as  shown  in  Figure  2: 

i)  valve  1  is  on  and  valve  2  is  on, 

ii)  valve  1  is  on  and  valve  2  is  off. 

Consequently, the system survivability is computed by
using equation (1) as

$$\begin{aligned}
S &= R(f_0) + \sum_{i=1}^{2} Q(f_0 \to f_i)\, A(f_i)\, R(f_i, \text{pump 1}) \\
  &= p_2 + 2\, q_2 \cdot \frac{1}{4} \cdot p_1 = p_2 + \frac{1}{2} p_1 q_2,
\end{aligned}$$

where $q_2$ is the failure probability of pump 2. Conversely,
we can define the nonsurvivability as

$$\bar{S} = \sum_{i \neq 0} Q(f_0 \to f_i) \left[ A(f_i)\, Q(f_i, c_i) + \bar{A}(f_i) \right], \qquad (2)$$

where $A(f_i)$ is the probability of successful adaptation,
$\bar{A}(f_i)$ is the probability of failed adaptation, and $Q(f_i, c_i)$ is
the failure probability of newly added components $c_i$ in
the newly reconfigured form $f_i$. The definition is relatively
easy to understand:

i) The term $Q(f_0 \to f_i)$ indicates the probability that
a new form $f_i$ will be reconfigured.

ii) The term $A(f_i)\, Q(f_i, c_i)$ indicates that the new components
$c_i$ fail to work in the new form $f_i$.

iii) The third term $\bar{A}(f_i)$ indicates that the system
cannot be updated into a new form $f_i$.

These conditions all produce a system without survivable
options. We can use the same idea to compute the
nonsurvivability of the current system when pump 2 fails to
work. There are two situations:

i)  valve  1  is  on  but  pump  1  fails,  and 

ii)  valve  1  cannot  be  turned  on. 

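In both conditions, we can use equation (2) to calculate
the nonsurvivability as

$$\bar{S} = q_2 \left[ \frac{1}{2} q_1 + \frac{1}{2} \right].$$

Interestingly enough, we can also verify that the sum of the
survivability and nonsurvivability is unity, or

$$S + \bar{S} = p_2 + \frac{1}{2} q_2 p_1 + q_2 \left[ \frac{1}{2} q_1 + \frac{1}{2} \right] = 1.$$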


In  the  current  system,  we  can  easily  see  that  S  >  R.  It 
implies  that  a  survivable  system  can  have  a  higher 
successful  probability  than  a  reliable  system.  The 
survivable  system  is  capable  of  configuring  an  initial  form 
depending  on  where  the  threat  is  coming  from,  and  it  can 
reconfigure  itself  to  avoid  failures.  If  the  system  cannot 
identify  where  the  threat  is  coming  from,  its  survivability 
will  be  degraded.  For  the  same  system  shown  in  Figure  1, 
the  survivability  of  the  system  when  it  can  identify  the 
threat  correctly  is 

$$S = p_2 + \frac{1}{2} p_1 q_2.$$

We can compare it with another system that identifies the
threat as coming from the wrong direction, or the system
operates pump 1 in its initial form. The survivability of
such a system is

$$S' = p_1 + \frac{1}{2} p_2 q_1.$$

Clearly, we can calculate

$$S - S' = \left[ p_2 + \frac{1}{2} p_1 q_2 \right] - \left[ p_1 + \frac{1}{2} p_2 q_1 \right] = \frac{1}{2}(p_2 - p_1) \ge 0.$$

More precisely, we prove that $S > S'$. This result suggests
that a reconfigurable system is more survivable if its initial
form is determined by avoiding the threat. In other words,
a threat-aware (or situation-aware) and
reconfigurable system has a clear advantage in terms of
better  survivability.  Mathematically,  we  show  that  a 
reconfigurable  system  has  better  survivability  if  the  system 
has  threat  awareness  capability.  Nonetheless,  we 
demonstrate  the  difference  between  the  survivability  and 
reliability  analysis. 

D.  A  More  Complex  Three  Pumps  System 

We  study  another  more  complex  survivable  system  with 
three  pumps  as  shown  in  Figure  3.  The  system  is  capable 
of  operating  two  pumps  simultaneously. 


Fig. 3. Three Pumps System

Fig. 4. Reconfiguration of Three Pumps System


As indicated in the figure, the main threat is from the
direction of pump 1. A viable initial form $f_0$ is to
operate pump 2 and pump 3. Two pumps supply water
flow into the sprinkler pipes as valves 1 and 2 are
switched on. Accordingly, there are two possible
operation modes for pumps 2 and 3:

i) 2-out-of-2:G with 1 backup system and

ii) 1-out-of-2:G with 1 backup system.

We  consider  the  adaptation  survivability  where  the  system 
reconfigures  itself  only  when  its  initial  form  fails  to  work. 

Mode I: a 2-out-of-2:G with 1 backup system:

In this mode, the system works when both pumps (pumps
2 and 3) are operating. The reliability of the initial form $f_0$
is

$$R(f_0) = p_2^2.$$

If either pump 2 or pump 3 fails, the system must
reconfigure itself to operate pump 1 for the survivable
mission. However, if both pumps 2 and 3 fail, the result
will be that the system is unable to operate. If either pump
fails, there are two survivable forms:

i) form $f_1$ that requires pumps 1 and 3 to work when
pump 2 fails, and

ii) form $f_2$ that requires pumps 1 and 2 to work when
pump 3 fails.

The new form $f_1$ is shown in Figure 4. It suggests that

$$Q(f_0 \to f_1) = p_2 q_2.$$

To survive by using form $f_1$, the following adaptation
conditions are required in addition to pump 1 being in
successful operation:

i) valve 2 is off, and

ii) valve 3 and valve 4 are on.

It implies that $A(f_1) = \frac{1}{8}$ because there is one eighth of
the probability that the corresponding valves are switched
into the correct states. Also, the reliability of the new form
depends on the successful probability of pump 1, or
$R(f_1, \text{pump 1}) = p_1$. Similarly, we can compute the
probability for form $f_2$ to sustain survivable functions.
Hence, the survivability of this system is

$$\begin{aligned}
S &= R(f_0) + \sum_{i=1}^{2} Q(f_0 \to f_i)\, A(f_i)\, R(f_i, \text{pump 1}) \\
  &= p_2^2 + 2 \cdot \frac{1}{8}\, p_2 q_2\, p_1 = p_2^2 + \frac{1}{4} p_1 p_2 q_2.
\end{aligned}$$

We can also note that we did not compute the survivable
form in which both pumps 2 and 3 fail. In this form, the
system cannot survive because the system is operated in
the 2-out-of-2:G model. When both pumps fail, there is no
possibility of operating one pump to sustain the survivable
function.


Mode II: a 1-out-of-2:G with 1 backup system:

This mode is operated a little differently than the previous
mode. The system works when either pump (pump 2 or
pump 3) or both pumps (pumps 2 and 3) are working. The
reliability of the initial form $f_0$ is

$$R(f_0) = p_2^2 + 2 p_2 q_2.$$

Unlike the previous mode, the system requires new
configurations only when both pumps 2 and 3 fail to
work. The system will reconfigure when both pump 2 and
pump 3 fail. There are two new forms as shown in Figures
5(a) and 5(b):

i) form $f_1$ that requires pump 1 to work and valve 4 to
be on, and

ii) form $f_2$ that requires pump 1 to work and valve 5 to
be on.

It implies that $Q(f_0 \to f_1) = Q(f_0 \to f_2) = q_2^2$ and
$A(f_1) = A(f_2) = \frac{1}{2}$ because there is one half of the
probability that the corresponding valves are switched into
the correct states. Also, the reliability of the new form
depends on the successful probability of pump 1, or
$R(f_1, \text{pump 1}) = R(f_2, \text{pump 1}) = p_1$. Consequently, the
survivability of this system is

$$\begin{aligned}
S &= R(f_0) + \sum_{i=1}^{2} Q(f_0 \to f_i)\, A(f_i)\, R(f_i, \text{pump 1}) \\
  &= p_2^2 + 2 p_2 q_2 + 2 \left[ q_2^2 \cdot \frac{1}{2} \cdot p_1 \right] = p_2^2 + 2 p_2 q_2 + p_1 q_2^2.
\end{aligned}$$

(b) Survivable Solution 2
Fig. 5. Three Pumps Reconfiguration

Intuitively, we know that mode II has better survivability
than mode I. Mathematically, it can also be validated by
the survivability results computed from both modes. We
can extend the system into a more general form. The
system is a k-out-of-n:G model with m backup
components. There can be various situations that we can
use to compute the survivability of such a system.
However, the adaptation depends highly on the design of
topology or arrangements of system components. In this
paper, we have considered two topologies:

i) line topology and

ii) ring topology.

This paper is not focused on determining which topology
is a better survivable design, but it shows the significance
of design which can highly influence the system’s
survivability. Also, we demonstrate the importance of
survivability in situation assessment. When an
information fusion process utilizes survivability as the
performance metric, situation awareness becomes more
important to gather useful data for sustaining the system’s
successful operation.


3 Simulations

For the examples presented, we were interested in the
effects for the 3-pump system configurations representing
either the communications data router for a distributed
fusion system.


Example  1:  a  2-out-of-2:G  with  1  backup  system 

In this example, we consider the recovery of a system due
to a failure in a single communication channel.

From the simulation, we see the survivability (red
dashed o) and the reliability (blue dashed x) in Figure 6.
The survivability and reliability are almost the same in the
performance evaluation, but the survivability can be seen
to be clearly better than the reliability metric as the components
become more and more reliable. It strongly suggests that a
reconfigurable system has a better performance measure
compared to a system without reconfiguration capability.


Example 2: a 1-out-of-2:G with 1 backup system:

Here, we simulate the ability of a fusion system with the
capability to recover from threats, breakdowns, and other
processing errors in a 1-out-of-2:G system. The simulation
result  is  shown  in  Figure  7. 
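
The closed-form results of Section 2 can be checked numerically. The following Python code is an added example, not the authors' simulation: it evaluates equation (1) for the two-pump and three-pump systems and cross-checks the two-pump result against an event-level simulation. The threat priors, the conditional pump reliabilities and the assumption that every valve setting is equally likely are constructed for illustration.

```python
"""Added example: numeric check of the survivability formulas (not the paper's code)."""
import random


def component_reliability(cond_rel, prior):
    """Total probability over threat directions: p(c) = sum_j p(c|T_j) p(T_j)."""
    if len(cond_rel) != len(prior) or abs(sum(prior) - 1.0) > 1e-9:
        raise ValueError("need one p(c|T_j) per direction and priors summing to 1")
    return sum(r * t for r, t in zip(cond_rel, prior))


def survivability(r_f0, forms):
    """Equation (1). forms holds one (Q(f0->fi), A(fi), R(fi, ci)) tuple per new form."""
    return r_f0 + sum(q * a * r for q, a, r in forms)


def two_pump(p_initial, p_backup):
    """Section C: one pump runs; on failure 2 of the 4 valve settings reach the backup."""
    q_initial = 1.0 - p_initial
    return survivability(p_initial, [(q_initial, 1 / 4, p_backup)] * 2)


def three_pump_mode1(p1, p2):
    """Mode I: 2-out-of-2:G on pumps 2 and 3 (both p2), pump 1 as backup, A = 1/8."""
    q2 = 1.0 - p2
    return survivability(p2 ** 2, [(p2 * q2, 1 / 8, p1)] * 2)


def three_pump_mode2(p1, p2):
    """Mode II: 1-out-of-2:G on pumps 2 and 3, reconfigure only if both fail, A = 1/2."""
    q2 = 1.0 - p2
    return survivability(p2 ** 2 + 2 * p2 * q2, [(q2 ** 2, 1 / 2, p1)] * 2)


def simulate_two_pump(p_initial, p_backup, trials=200_000, seed=1):
    """Event-level check of two_pump(), assuming a uniformly random valve setting."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        if rng.random() < p_initial:          # initial form f0 keeps working
            survived += 1
            continue
        valve1_on = rng.random() < 0.5        # valve 2 may be on or off
        if valve1_on and rng.random() < p_backup:
            survived += 1
    return survived / trials


def demo():
    # Constructed inputs: two threat directions (left, right) with priors 0.2 / 0.8.
    prior = [0.2, 0.8]
    p1 = component_reliability([0.9, 0.6], prior)    # pump 1 faces the main threat
    p2 = component_reliability([0.7, 0.95], prior)   # pump 2 is sheltered from it
    return {
        "p1": p1, "p2": p2,
        "S_threat_aware": two_pump(p2, p1),          # start on pump 2
        "S_wrong_direction": two_pump(p1, p2),       # start on pump 1
        "S_simulated": simulate_two_pump(p2, p1),
        "mode1": three_pump_mode1(p1, p2),
        "mode2": three_pump_mode2(p1, p2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value:.4f}")
```

With these constructed inputs the gap between the threat-aware and wrong-direction initial forms equals one half of (p2 - p1), as derived in Section 2C, and mode II exceeds mode I.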


study could potentially be used to analyze other systems’
survivability such as power network systems, computer
network systems, military reconfigurable information
systems, and other large reconfigurable network systems.
Their fundamental frameworks are the systems’ capability
to assess survivability and to be dynamically aware of
situation changes. Consequently, we can generalize these
systems in the same framework and investigate their
survivability in exactly the same context. More
importantly, we contended survivability is a better
performance metric for an information process for
situation assessment.